Scope
To establish acceptable practices regarding the use of Southwestern Community College information resources in order to protect the confidentiality, integrity, and availability of information created, collected, and maintained.
Institutional Regulations
The Southwestern Community College Acceptable Use Policy applies to any individual, entity, or process that interacts with any of Southwestern Community College information resources.
Procedures
Acceptable Use
Personnel are responsible for complying with Southwestern Community College information resources and/or on Southwestern Community College time. If requirements or responsibilities are unclear, please seek assistance from the Information Security Committee.
Personnel must promptly report the theft, loss, or unauthorized disclosure of Southwestern Community College confidential or internal information to their immediate supervisor or a budget authority.
Personnel should not purposely engage in activity that may:
- Harass, threaten, or abuse others; (matters of discrimination, harassment, bullying and/or sexual offense that arise in the educational setting shall be referred to the equity/Title IX coordinator as needed.)
- Degrade the performance of Southwestern Community College information resources;
- Deprive authorized Southwestern Community College personnel access to Southwestern Community College information resource;
- Obtain additional resources beyond those allocated;
- Or circumvent Southwestern Community College computer security measures.
Personnel should not download, install, or run security programs or utilities that reveal or exploit weaknesses in the security of a system. For example, Southwestern Community College personnel should not run password cracking programs, packet sniffers, port scanners, or any other non-approved programs on any Southwestern Community College information resource.
All inventions, *intellectual property, and proprietary information, including reports, drawings, blue prints, software codes, computer programs, data, writings, and technical information, developed on Southwestern Community College time and/or using Southwestern Community College information resources are the property of Southwestern Community College.
*(In reference to intellectual property, it is recognized that materials developed for all courses taught for the college by a SWCC instructor shall be vested with the instructor.)
Use of encryption should be managed in a manner that allows designated Southwestern Community College personnel to promptly access all data.
Southwestern Community College information resources are provided to facilitate college business and should not be used for personal financial gain.
Personnel are expected to cooperate with incident investigations including any federal or state investigations.
Personnel are expected to respect and comply with all legal protections provided by patents, copyrights, trademarks, and intellectual property rights for any software and/or materials viewed, used, or obtained using Southwestern Community College information resources.
Personnel should not intentionally access, create, store or transmit material which Southwestern Community College may deem to be offensive, indecent, or obscene.
Access Management
Access to information is based on an individual's need to know, per job description or as determined by their budget authority or his/her designee.
Personnel are permitted to use only those network and host addresses issued to them by Southwestern Community College IT and should not attempt to access any data or programs contained on Southwestern Community College systems for which they do not have authorization or explicit consent.
All remote access connections made to internal Southwestern Community College networks and/or environments must be made through approved, and Southwestern Community College-provided, virtual private networks (VPNs) on a temporary basis only. VPN access will be set up according to the time frame established by the respective budget authority.
Personnel should not divulge any access information to anyone not specifically authorized to receive such information.
Personnel must not share their Southwestern Community College authentication information, including:
- Account passwords,
- Personal Identification Numbers (PINs),
- Access cards and/or keys,
- Similar information or devices used for identification and authentication purposes.
Lost or stolen access cards, security tokens, and/or *keys must be reported to the person responsible for information resource physical facility management as soon as practical.
*Please also refer to Business Office Procedure B-36 Keys.
A service charge may be assessed for access cards, security tokens, and/or keys that are lost, stolen, or are not returned.
Authentication/Passwords
All personnel are required to maintain the confidentiality of personal authentication information.
Any group/shared authentication information must be maintained solely among the authorized members of the group.
All passwords including initial and/or temporary passwords, must be constructed, and implemented according to the following Southwestern Community College rules:
- Must meet all requirements established in the Southwestern Community College Authentication Standard, including minimum length, complexity, and rotation requirements.
- Must not be easily tied back to the account owner by using things like: user name, social security number, nickname, relative's names, birth date, etc.
- Should not include common words, such as using dictionary words or acronyms.
- Should not be the same passwords as used for non-business purposes.
Passwords must be changed at least semi-annually.
Password history must be kept to prevent the reuse of passwords.
Unique passwords should be used for each system, whenever possible.
User account passwords must not be divulged to anyone. Southwestern Community College support personnel and/or contractors should never ask for user account passwords.
Security tokens (i.e. Smartcard) must be returned on demand or upon termination of the relationship with Southwestern Community College, if issued.
If the security of a password is in doubt, the password should be changed immediately.
Personnel should not circumvent password entry with application remembering, embedded scripts, or hard coded passwords in client software.
Clear Desk/Clear Screen
Personnel should log off/sign out from applications or network services when they are no longer needed.
Personnel should log off/sign out or lock their workstations and laptops when their workspace is unattended.
Confidential or internal information should be removed or placed in a locked drawer or file cabinet when the workstation is unattended and at the end of the workday if physical access to the workspace cannot be secured by other means.
Personal items, such as phones, wallets, and keys, should be removed or paced in a locked drawer or file cabinet when the workstation is unattended.
File cabinets containing confidential information should be locked when not in use or when unattended.
Physical and/or electronic keys used to access confidential information should not be left on an unattended desk or in an unattended workspace if the workspace itself is not physically secured.
Passwords must not be posted on or under a computer or in any other physically accessible location.
Copies of documents contacting confidential information should be immediately removed from printer and fax machines.
Data Security
Personnel should use approved encrypted communication methods whenever sending confidential information over public computer networks (Internet).
Only authorized cloud computing applications may be used for sharing, storing, and transferring confidential or internal information.
Information must be appropriately shared, handled, transferred, saved, and destroyed, based on the information sensitivity.
Personnel should not have confidential conversations in public places or over insecure communication channels, open offices, and meeting places.
Confidential information must be transported either by a Southwestern Community College employee or a courier approved by SWCC cabinet.
All electronic media containing confidential information must be securely disposed. Please contact IT for guidance or assistance.
Email and Electronic Communication
Electronic communications should not misrepresent the originator or Southwestern Community College.
Personnel are responsible for the accounts assigned to them and for the actions taken with their accounts.
Account must not be shared without prior authorization from Southwestern Community College IT or budget authority, with the exception of calendars and related calendaring functions.
Employees should not use personal email accounts to send or receive Southwestern Community College confidential information.
Any personal use of Southwestern Community College provided email should not:
- Involve solicitation.
- Be associated with any political entity, excluding the Southwestern Community College sponsored PAC.
- Have the potential to harm the reputation of Southwestern Community College.
- Forward chain emails.
- Contain or promote anti-social or unethical behavior.
- Violate local, state, federal, or international laws or regulations.
- Result in unauthorized disclosure of Southwestern Community College confidential information.
Personnel should only send confidential information using secure electronic messaging solutions.
Personnel should use caution when responding to, clicking on links within, or opening attachments included in electronic communications.
Personnel should use discretion in disclosing confidential or internal information in out-of-office or other automated responses, such as employment data, location information, or other sensitive data.
Hardware and Software
All hardware must be formally approved by IT management and employee's immediate supervisor before being connected to Southwestern Community College networks.
Software installed on Southwestern Community College equipment must be approved by IT management and employee's immediate supervisor prior to being installed.
All Southwestern Community College assets taken off-site should be physically secured at all times.
Employees should not allow family members or other non-employees to access Southwestern Community College information resources.
Internet
The internet must not be used to communicate Southwestern Community College confidential or internal information, unless the confidentiality and integrity of the information is ensured and the identity of the recipient(s) is established.
Use of the internet with Southwestern Community College networking or computing resources must only be used for college-related activities. Unapproved activities include, but are not limited to:
- Any illegal activities,
- Access or distributing pornographic or sexually oriented materials,
- Attempting or making unauthorized entry to any network or computer accessible from the internet.
Employees use of social media forums, including social networking websites such as Instagram and Facebook, personal web pages or blogs, and electronic messaging are subject to the normal requirements of legal and ethical behavior within the college community. Employees should be guided by applicable laws, college policy, and sound professional judgement when using social media.
Access to the internet from outside the Southwestern Community College network using a Southwestern Community College owned computer must adhere to all of the same policies that apply to use from with Southwestern Community College facilities.
Mobile Devices and Bring Your Own Device (BYOD)
Southwestern Community College does not allow personally-owned mobile devices to connect to the Southwestern Community College private internal network. User may acquire a waiver as shown in the BYOD policy.
Mobile devices that access Southwestern Community College email must have a PIN or other authentication mechanism enabled.
Confidential data should only be stored on devices that are encrypted in compliance with the Southwestern Community College Encryption Standard.
Theft or loss of any mobile device that has been used to create, store, or access confidential or internal information must be reported to the Southwestern Community College information security team immediately.
All mobile devices must maintain up-to-date versions of all software and applications.
All personnel are expected to use mobile devices in an ethical manner.
Jail-broken or rooted devices should not be used to connect to Southwestern Community College information resources.
Southwestern Community College IT management may choose to execute remote wipe capabilities for mobile devices without warning (see Mobile Device Email Acknowledgement).
In the event that there is a suspected incident or breach associated with a mobile device, it may be necessary to remove the device from the personnel's possession as part of a formal investigation.
All mobile device usage in relation to Southwestern Community College information resources may be monitored, at the discretion of Southwestern Community College IT management.
Southwestern Community College IT support for personally-owned mobile devices is limited to assistance in complying with this policy. Southwestern Community College IT support may not assist in troubleshooting device usability issues.
Use of personally-owned devices must be in compliance with all other Southwestern Community College policies.
Southwestern Community College reserves the right to revoke personally-owned mobile device use privileges in the event that personnel do not abide by the requirements set forth in this policy.
Texting or emailing while driving is not permitted while on company time or using Southwestern Community College resources. Only hands-free talking while driving is permitted, while on company time or when using Southwestern Community College resources.
Physical Security
Photographic, video, audio, or other recording equipment, such as cameras in mobile devices, is not allowed in secure areas other than IT personnel. Wiring closets, server room, etc. Reference Physical Security Policy (IS 11).
Visitors accessing confidential areas of facilities must be accompanied by authorized personnel at all times. Wiring closets, server room, HR, etc. Reference Physical Security Policy (IS 11).
Eating or drinking are not allowed in data centers. Caution must be used when eating or drinking near workstations or information processing facilities.
Privacy
Information created, sent, received, or stored on Southwestern Community College information resources are not private and may be accessed by IT employees at any time, under the direction of administration and/or human resources, without knowledge of the user or resource owner.
Southwestern Community College may log, review, and otherwise utilize any information stored on or passing through its information resource systems.
Systems administrators, Southwestern Community College IT, and other authorized Southwestern Community College personnel may have privileges that extend beyond those granted to standard business personnel. Personnel with extended privileges should not access fields and/or other information that is not specifically required to carry out an employment related task.
Information Security Training and Awareness
All new personnel must complete an approved information security awareness training prior to, or at least within 30 days of, being granted access to any Southwestern Community College information resources.
All personnel must be provided with and acknowledge they have received and agree to adhere to the Southwestern Community College Information Security Policies before they are granted access to Southwestern Community College information resources.
All personnel must complete the annual information security awareness training.
Social Media
Communications made with respect to social media should be made in compliance with all applicable Southwestern Community College policies.
Personnel are personally responsible for the content they publish online.
Creating any public social media account intended to represent Southwestern Community College, including accounts that could reasonably be assumed to be an official Southwestern Community College account, requires the permission of Southwestern Community College marketing department.
When discussing Southwestern Community College or Southwestern Community College-related matters, you should:
- Identify yourself by name,
- Identify yourself as a Southwestern Community College representative, and
- Make it clear that you are speaking for yourself and not on behalf of Southwestern Community College unless you have been explicitly approved to do so.
Personnel should not misrepresent their role at Southwestern Community College.
When publishing Southwestern Community College-related content online in a personal capacity, a disclaimer should accompany the content. An example disclaimer could be; The opinions and content are my own and do not necessarily represent Southwestern Community College's position or opinion.
Content posted online should not violate any applicable laws (i.e. copyright, fair use, financial disclosure, or privacy laws).
Discriminatory remarks on the basis of race, color, national origin, sex, disability, age in employment, sexual orientation, gender identity, genetic information, creed, religion, veteran status, associational preference actual or potential, parental, family or marital status in published content that is affiliated with Southwestern Community College will not be tolerated.
Confidential information, internal communications, and non-public financial or operational information may not be published online in any form.
Personal information may not be published online unless required by law or appropriate permissions have been obtained.
Personnel approved to post, review, or approve content on Southwestern Community College's social media sites must follow the Southwestern Community College Social Media Etiquette Procedure (HR 33).
Voice Mail
Personnel should use discretion in disclosing confidential or internal information in voice mail greetings, such as employment data, location information, or other sensitive data.
Personnel should not access another user's voicemail account unless it has been explicitly authorized.
Incidental Use
As a convenience to Southwestern Community College personnel, incidental use of information resources is permitted. The following restrictions apply:
- Incidental personal use of electronic communications, internet access, fax machines, printers, copiers, and so on, is restricted to Southwestern Community College approved personnel; it does not extend to family member or other acquaintances.
- Incidental use should not result in direct costs to Southwestern Community College.
- Incidental use should not interfere with the normal performance of an employee's work duties.
- No files or documents may be sent or received that may cause legal action against, or embarrassment to, Southwestern Community College or its customers.
Storage of personal email messages, voice messages, files and documents within Southwestern Community College information resources must be nominal.
All information located on Southwestern Community College's information resources are owned by Southwestern Community College and may be subject to open records requests, and may be accessed in accordance with this policy.
Enforcement
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contract found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.